2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces how to implement Session and Token authentication. Many people have questions about this in day-to-day work, so the editor consulted various materials and put together simple, easy-to-use methods. Hopefully it helps answer those questions. Let's get started!
Preface
After a user logs in with an account and password, how to keep that user authenticated is a problem every PHPer will encounter. From the early days of Session to Token, let's explore it with curiosity.
Session era
Web development uses the HTTP protocol, which was originally an anonymous, stateless request/response protocol. This simple design lets HTTP focus on transferring resources (HTTP is the Hypertext Transfer Protocol). As the web developed, applications needed to identify each client uniquely, which introduced the concept of the session. The whole process of PHP setting up a session is as follows. The server uses LNMP; let's explore it step by step:
1. Send a request.
Request http://test.com:8080/index.php.
2. Start the session and save it according to the php.ini configuration.
First of all, we enable the Session in the server code (sessions are not enabled by default in php.ini, so the program has to start them):

    <?php
    // enable the session
    session_start();
    // set a session value, to test later whether it can be retrieved
    $_SESSION['name'] = 'phper';
    echo 'welcome to session start';

Then check the path where the session is saved in php.ini. If sessions are saved to files (the default), the path is /tmp and the file name is sess_{session_id}. The main parameter to look at is: session.save_handler = files
Let's log in to the server and look at the Session file in the /tmp directory: the sess_689u7fiqejt70dujb9uk44eq79 file. (You may wonder how we know that session_id = 689u7fiqejt70dujb9uk44eq79. We will come back to that in the next step.)
3. Inspect the request: the server's response header carries the session_id.
Check the response headers; this is where we learn that session_id = 689u7fiqejt70dujb9uk44eq79, which is how we knew which file to look at in step 2.
Here path=/ refers to the path the browser stores the cookie for.
The browser saves the session_id locally on the client, in a cookie. As shown in the following figure:
4. Send the request again; the request header carries the session_id to the server.
We just need to request http://test.com:8080/index.php again, and the browser sends the cookie holding the session_id to the server in the request header. Looking at the request header, we can see:
5. Verify the session_id to confirm the identity of the client.
This step is done by PHP's session mechanism. We can verify it by checking whether we can read back the $_SESSION['name'] value we just set.
We modify the index.php code as follows:

    <?php
    // enable the session
    session_start();
    // read the session value set earlier, to test whether it can be retrieved
    echo $_SESSION['name'];

We request http://test.com:8080/index.php again, and the session_id is carried in the request header:
Now let's use Postman to simulate an illegitimate request and see whether we can get the $_SESSION['name'] content. No information is returned.
Next, we put the previous cookie value 689u7fiqejt70dujb9uk44eq79 into the request header in Postman to see whether we can get the information. We can.
That is the whole request process, and it shows that the session_id is very important: whoever presents it is treated as that client. See also: PHP's configuration items and usage instructions for Session.
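Because the Postman test above shows that a copied session_id is accepted as-is, the session cookie itself needs protecting. The following is an added example, not code from the original article: a variant of index.php that restricts the cookie, expires idle sessions and issues a fresh id before storing identity. MAX_IDLE and the 'last_seen' key are assumptions.

```php
<?php
// Added example (not from the original article): index.php with the session
// cookie locked down. MAX_IDLE and the 'last_seen' key are assumptions.
const MAX_IDLE = 1800; // seconds of inactivity before the session is discarded

ini_set('session.use_strict_mode', '1');  // refuse ids the server never issued
ini_set('session.use_only_cookies', '1'); // never read the id from the URL
session_set_cookie_params([               // array form needs PHP >= 7.3
    'lifetime' => 0,      // cookie disappears when the browser closes
    'path'     => '/',
    'secure'   => true,   // HTTPS only; not returned over plain HTTP
    'httponly' => true,   // hidden from document.cookie
    'samesite' => 'Lax',  // withheld from cross-site POSTs and sub-requests
]);
session_start();

// Expire idle sessions so a copied id stops working after MAX_IDLE seconds.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > MAX_IDLE) {
    $_SESSION = [];
    session_regenerate_id(true); // delete the old session file, issue a new id
}
$_SESSION['last_seen'] = time();

if (!isset($_SESSION['name'])) {
    // Issue a fresh id before storing identity, so an id that existed
    // before login is never promoted to a logged-in one.
    session_regenerate_id(true);
    $_SESSION['name'] = 'phper';
    echo 'welcome to session start';
} else {
    echo htmlspecialchars($_SESSION['name'], ENT_QUOTES, 'UTF-8');
}
```

With 'secure' set to true the cookie is only returned over HTTPS, so the plain-HTTP test host used in the walk-through would need TLS for the session to persist.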
Token era
Projects in the Web 2.0 era separate the front end from the back end, and Token-based user authentication has become more popular. What problems can a Token solve?
1. The Token is managed entirely by the application, so it can avoid the same-origin policy
2. The Token can avoid CSRF attacks
3. The Token can be stateless and can be shared among multiple services
Stateful Token
A stateful Token records the Token's attributes (e.g. the Token expiration time) on the server. We use diagrams to show three scenarios: issuing the token, verifying the token, and token expiry.
Issue token
Server verifies token
Token expires
Stateless Token
A stateless Token stores the Token's attributes (e.g. the Token expiration time) inside the Token itself; JWT is a stateless Token. JWT is not described in detail here. Let's take a look at the following processes:
Issue token
Server verifies token
So, comparing stateful and stateless Tokens: a stateful Token takes up server resources and does not suit distributed, microservice and similar architectures. A stateless Token solves exactly this problem, but a stateless Token has no Token blacklist or whitelist.
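The two models described above, side by side, as an added example that is not part of the original article. The stateless token here is a simplified HMAC-signed token, not a full JWT; the in-memory $store, the SECRET placeholder, the claim names and the TTL values are assumptions.

```php
<?php
// Added example, not from the original article. $store stands in for Redis or a
// database; SECRET, the claim names and the TTL values are assumptions.
const SECRET = 'placeholder-key-load-a-random-one-from-config';

// Stateful: the token is a random handle; its attributes stay on the server.
function issueStateful(array &$store, string $user, int $ttl, int $now): string {
    $token = bin2hex(random_bytes(32));
    $store[$token] = ['user' => $user, 'exp' => $now + $ttl];
    return $token;
}
function verifyStateful(array &$store, string $token, int $now): ?string {
    $rec = $store[$token] ?? null;
    if ($rec === null) { return null; }           // unknown or revoked
    if ($rec['exp'] <= $now) { unset($store[$token]); return null; } // expired
    return $rec['user'];
}

// Stateless: the attributes travel inside the token, protected by an HMAC.
function b64u(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
function issueStateless(string $user, int $ttl, int $now): string {
    $body = b64u(json_encode(['user' => $user, 'exp' => $now + $ttl]));
    return $body . '.' . b64u(hash_hmac('sha256', $body, SECRET, true));
}
function verifyStateless(string $token, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) { return null; }
    [$body, $sig] = $parts;
    $expected = b64u(hash_hmac('sha256', $body, SECRET, true));
    if (!hash_equals($expected, $sig)) { return null; }  // tampered or wrong key
    $claims = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) <= $now) { return null; }
    return $claims['user'] ?? null;
}

// Constructed demo: issue both kinds, then revoke on the server (logout).
$store = [];
$now = time();
$a = issueStateful($store, 'phper', 60, $now);
$b = issueStateless('phper', 60, $now);
var_dump(verifyStateful($store, $a, $now), verifyStateless($b, $now));
unset($store[$a]); // revocation only touches the server-side record
var_dump(verifyStateful($store, $a, $now), verifyStateless($b, $now));
var_dump(verifyStateless($b, $now + 61)); // checked after the embedded exp
```

Deleting the server-side record invalidates the stateful token at once, while the stateless token keeps verifying until its embedded expiry passes; short expiry times are the usual way to bound that window.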
This concludes the study of "how to implement Session and Token authentication". Hopefully it has resolved your doubts. Combining theory with practice helps you learn better, so go and try it! If you want to learn more, please continue to follow the website; the editor will keep working to bring you more practical articles.